RE: Re: translating "route-to (ifname gwy)" to C code
On Thu, 8 Feb 2007, Robbert Kouprie wrote:
> I am facing a similar problem as Raja Subramanian had back in July '06. I'm
> trying to get ftp-proxy to include 'route-to' statements in its generated pf
> rules. Eventually I would even like ftp-proxy to do round-robin across
> different gateways.
>
> > On 7/28/06, Camiel Dobbelaar wrote:
> > >
> > > On Fri, 28 Jul 2006, Raja Subramanian wrote:
> > > > I'm trying to modify the rules generated by ftp-proxy(8),
> > > > and I'm getting lost in the various structs in pfvar.h.
> > >
> > > Diff here:
> > > http://www.sentia.org/downloads/ftp-proxy.routeto
>
> Unfortunately this link is dead. Is this patch or a newer version including
> Bill's updates still available somewhere?

I still have that diff if you want it, but to be honest I never really tested it myself beyond compiling. It was only to get Raja going.

It gets hairy quickly and I don't think the functionality belongs in a userland program like ftp-proxy.

Doesn't the multipath routing in newer versions of OpenBSD just work?

-- 
Cam
Re: Re: translating "route-to (ifname gwy)" to C code
Any work I did on this is here:
http://pfsense.com/cgi-bin/cvsweb.cgi/tools/pfPorts/pftpx-routeto/files/

I'm not sure the patches apply to anything recent and I haven't looked at this in 6 months according to CVS. We're not currently using it in pfSense so I'm not sure if it works, or even how much (if any) of it changed from Camiel's patch.

--Bill

On 2/8/07, Robbert Kouprie <[EMAIL PROTECTED]> wrote:
Hi Camiel, Bill,

I am facing a similar problem as Raja Subramanian had back in July '06. I'm trying to get ftp-proxy to include 'route-to' statements in its generated pf rules. Eventually I would even like ftp-proxy to do round-robin across different gateways.

> On 7/28/06, Camiel Dobbelaar wrote:
> >
> > On Fri, 28 Jul 2006, Raja Subramanian wrote:
> > > I'm trying to modify the rules generated by ftp-proxy(8),
> > > and I'm getting lost in the various structs in pfvar.h.
> >
> > Diff here:
> > http://www.sentia.org/downloads/ftp-proxy.routeto

Unfortunately this link is dead. Is this patch or a newer version including Bill's updates still available somewhere?

Regards,
Robbert
RE: Re: translating "route-to (ifname gwy)" to C code
Hi Camiel, Bill,

I am facing a similar problem as Raja Subramanian had back in July '06. I'm trying to get ftp-proxy to include 'route-to' statements in its generated pf rules. Eventually I would even like ftp-proxy to do round-robin across different gateways.

> On 7/28/06, Camiel Dobbelaar wrote:
> >
> > On Fri, 28 Jul 2006, Raja Subramanian wrote:
> > > I'm trying to modify the rules generated by ftp-proxy(8),
> > > and I'm getting lost in the various structs in pfvar.h.
> >
> > Diff here:
> > http://www.sentia.org/downloads/ftp-proxy.routeto

Unfortunately this link is dead. Is this patch or a newer version including Bill's updates still available somewhere?

Regards,
Robbert
Re: translating "route-to (ifname gwy)" to C code
On 7/28/06, Camiel Dobbelaar <[EMAIL PROTECTED]> wrote:
On Fri, 28 Jul 2006, Raja Subramanian wrote:
> I'm trying to modify the rules generated by ftp-proxy(8),
> and I'm getting lost in the various structs in pfvar.h.

Diff here:
http://www.sentia.org/downloads/ftp-proxy.routeto

I only checked the rule output, not if it really works as I don't have multiple gateways.

getopt not implemented yet either, adjust routeto and routeto_if in main() manually. The default is (lo0 127.0.0.1), without adjustment this will break normal setups horribly.

Let us know how it works out.

Got this working with a single egress network (no need for route-to in my test environment) and had an issue with active mode FTP. The add_filter() call in active mode needs to not put a route-to and I think the pass in rule needs to have a reply-to, probably a simple modification to add_filter() to switch on the direction and do reply-to or route-to based on direction.

I added the switch in add_filter()

+ if (routeto_if && routeto) { + switch (dir) { + case PF_OUT: + pfr.rule.rt = PF_ROUTETO; + break; + case PF_IN: + pfr.rule.rt = PF_REPLYTO; + break; + } + if (routeto->sa_family == AF_INET) {

and updated the active mode call

@@ -472,13 +472,13 @@ } /* pass in from $server to $client port $port */ - if (add_filter(s->id, PF_IN, server_sa, client_sa, s->port) == - -1) + if (add_filter(s->id, PF_IN, server_sa, client_sa, s->port, +routeto_if, sstosa(&routeto_ss)) == -1) goto fail; /* pass out from $orig_server to $client port $port */ - if (add_filter(s->id, PF_OUT, orig_sa, client_sa, s->port) == - -1) + if (add_filter(s->id, PF_OUT, orig_sa, client_sa, s->port, + NULL, NULL) == -1) goto fail;

so the PF_OUT call doesn't do a route/reply-to but the PF_IN does.

Other than testing that active and passive modes still work, I can't do a heck of a lot more.

--Bill
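Review bot: the `switch (dir)` added inside `if (routeto_if && routeto)` has no `default` case, so a caller passing any direction other than PF_IN or PF_OUT leaves `pfr.rule.rt` at whatever the rule was initialised with while the gateway is still attached to the rule; add `default: return (-1);` (or an explicit `pfr.rule.rt = PF_NOPFROUTE;`) so the rule can never carry a gateway without a route option. The hunk ends at `if (routeto->sa_family == AF_INET) {`, and the non-AF_INET path is not shown: make sure that branch does not leave `rt` set to PF_ROUTETO or PF_REPLYTO with no gateway address filled in, since that is exactly the "break normal setups horribly" case Camiel warns about for the default (lo0 127.0.0.1). A one-line comment above the switch explaining that the inbound rule uses reply-to because the return traffic, not the matched packet, is the part that must leave via the chosen gateway would help the next reader.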
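Review bot: `add_filter()` gains two parameters in the `@@ -472,13 +472,13 @@` hunk, so every other caller (the passive-mode calls are not in this hunk) has to be updated in the same patch or the build breaks; please show those call sites too. The continuation line `+routeto_if, sstosa(&routeto_ss)) == -1)` has lost its indentation and should be tab-indented like the `+ NULL, NULL) == -1)` continuation two lines below. Passing `NULL, NULL` for the PF_OUT rule works only because of the `routeto_if && routeto` guard in `add_filter()`; a short comment at that call site saying the outbound active-mode rule intentionally carries no route-to would make it clear this was a decision, not an omission.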
Re: translating "route-to (ifname gwy)" to C code
On Fri, 28 Jul 2006, Raja Subramanian wrote:
> I'm trying to modify the rules generated by ftp-proxy(8),
> and I'm getting lost in the various structs in pfvar.h.

Diff here:
http://www.sentia.org/downloads/ftp-proxy.routeto

I only checked the rule output, not if it really works as I don't have multiple gateways.

getopt not implemented yet either, adjust routeto and routeto_if in main() manually. The default is (lo0 127.0.0.1), without adjustment this will break normal setups horribly.

Let us know how it works out.

-- 
Cam